Coincidentally, a guildie recently was hacked similarly to how the OP inquired. The hackers called into customer service and claimed the authenticator was damaged in a washing machine. They included a picture of the authenticator. They were refused twice because they didn't know the secret answers and they were coming from a different e-mail account. However, on their third attempt, the cs rep removed the authenticator protection. Our guild is pretty tight and it was obvious that when his toons started coming on and he wasn't logged into Mumble, we started dropping his access, opened up a ticket, and contacted the rightful account owner. Within a day he received his gold and goods back, as well as a getting his authenticator protection back. I would expect that the cs teams were given a swift kick over that and either new policy laid down or re-educated on the existing one. Expect to have to provide a copy of a State ID with the billing info name and address and you'll have to come from the e-mail account that is on your WoW account.